Abstract: Wireless sensor networks (WSNs) can be quickly and randomly deployed in any 
harsh and unattended environment, and only authorized users are allowed to access reliable 
sensor nodes in WSNs with the aid of gateways (GWNs). Secure authentication models 
among the users, the sensor nodes and the GWN are important research issues for ensuring 
communication security and data privacy in WSNs. In 2013, Xue et al. proposed a 
temporal-credential-based mutual authentication and key agreement scheme for WSNs. 
However, in this paper, we point out that Xue et al.'s scheme cannot resist stolen-verifier, 
insider, off-line password guessing, lost smart card and many logged-in users' 
attacks, and these security weaknesses make the scheme inapplicable to practical WSN 
applications. To tackle these problems, we suggest a simple countermeasure that prevents 
the proposed attacks while the other merits of Xue et al.'s authentication scheme are 
left unchanged. 

Keywords: cryptanalysis; key agreement; mutual authentication; temporal credential; 
wireless sensor network 
1. Introduction 

Wireless sensor networks are innovative ad hoc networks that include a large number of sensor 
nodes with resource-constrained characteristics such as limited power, communication and computational 
capabilities [1-4]. As soon as sensor nodes are massively and randomly deployed in a target field, the 
basic function of the gateway node is to collect sensitive data for authorized users [5,6]. In many 
cases, a WSN may be deployed in hostile environments, and malicious intruders may launch attacks 
to disrupt the normal operation of the WSN (such as impersonating a legal user to abuse network 
resources, injecting false messages or invalid sensors into the WSN, launching security attacks and 
so on). Therefore, entity authentication [7-16] plays an important role in WSNs, and logging-in users 
and deployed sensors should be authenticated by the GWN as admissible participants. 

In the recent literature, there are a few works that detail complete secure user authentication 
schemes for wireless sensor networks with all their different features. In [17] Das proposed an efficient 
two-factor user authentication scheme based on easy-to-remember passwords and smart 
cards. Das' scheme needs only XOR and hashing computations, which reduces the 
computational complexity and makes it suitable for resource-constrained WSNs. Although Das' scheme 
enhances system performance, it still suffers from security weaknesses [18-20]. Das' scheme 
has later attracted a lot of attention, and several two-factor user authentication schemes with mutual 
authentication and key agreement have been proposed by Li et al. [20], Yeh et al. [21], Das et al. [22], 
Li et al. [23], and Xue et al. [24]. In [20], Li et al. proposed a secure billing service based on the 
framework of Das' scheme. In [21], Yeh et al. introduced an ECC-based user authentication scheme 
for preventing all the security flaws of the previous scheme [25]. However, in [23], Li et al. showed 
that Yeh et al.'s scheme is insecure against several attacks and further proposed an improved 
version of Yeh et al.'s scheme, which covers all the identified weaknesses and is more efficient for 
practical WSN environments. In [24], Xue et al. suggested a lightweight temporal-credential-based 
mutual authentication and key agreement scheme that not only provides more functionality features 
with higher security, but also ensures low costs of computation, communication and storage. 

1.1. Our Contributions 

Contributions made in this work can be summarized as follows: 

i. We analyze the security weaknesses of one of the most recent temporal-credential-based 
authentication schemes for WSNs proposed by Xue et al. [24]. Xue et al. claimed that their 
authentication scheme is secure against various known attacks with mutual authentication and 
key agreement and is suitable for resource-constrained WSNs. However, we find that 
Xue et al.'s authentication scheme still has other security weaknesses such as disclosure of the 
password and failing to prevent the lost smart card problem and many logged-in users' attacks. 

ii. We propose an advanced scheme to prevent the security threats of Xue et al.'s authentication 
scheme and the phases in our scheme are shown to be efficient in terms of computational 
complexity and communication overhead. 

iii. Our advanced scheme provides both mutual authentication and key agreement among the user, 
GWN and the sensor node in wireless sensor networks. 
iv. Our three-party authentication scheme can be used to verify users and sensor nodes without 
revealing their passwords whenever it is deemed to be necessary. 

v. A service period feature can be used to revoke users or sensor nodes in a controlled manner and 
prevent abuse by an authority node GWN. 

vi. Status-bit and login recording features are efficiently implemented and assist in catching 
misbehaving attackers trying to abuse network resources. The above-mentioned features are 
especially useful when non-registered attackers attempt illegal activities such as many 
logged-in user attacks. 

1.2. Organization of the Paper 

The remainder of the paper is organized as follows: Section 2 reviews Xue et al.'s authentication 
scheme [24], whose security weaknesses are shown in Section 3. We propose an advanced 
authentication scheme with higher security in Section 4, whose security and comparisons of related 
schemes are analyzed in Section 5 and Section 6, respectively. Section 7 concludes the paper. 

2. A Review of Xue et al.'s Temporal-Credential-Based Authentication Scheme 

In this section, we review Xue et al.'s temporal-credential-based mutual authentication 
scheme [24]. This scheme is mainly composed of three phases: registration; login; and authentication and 
key agreement. Moreover, their scheme involves three roles: the gateway node (GWN), the sensor node 
(S_j) and the user (U_i). For convenience of description, we summarize the notations used throughout this 
paper in Table 1. 

Table 1. Notations used throughout this paper. 

Symbol            Description 
U_i               User 
S_j               Sensor node 
GWN               Gateway node 
ID_i/PW_i         Identity/password of the user U_i 
SID_j/PW_j        Pre-configured identity/password of the sensor node S_j 
K_GWN_U/K_GWN_S   Two private system parameters known only to GWN 
TC_i/TC_j         A temporal credential issued by GWN to U_i/S_j 
TS                The timestamp value 
KEY_ij            The shared session key between U_i and S_j 
TE_i              The expiration time of U_i's temporal credential 
⊕                 The bitwise exclusive-OR operation 
H(·)              The one-way hashing function 
||                The bitwise concatenation operation 

2.1. Registration Phase 

Before registration of the user U_i and the sensor node S_j, each U_i has a secure password pre-shared 
with GWN, and U_i's identity ID_i and the hash value of U_i's password H(PW_i) are stored on GWN's side. 
Moreover, each S_j has a pre-configured password PW_j, and the hash value of S_j's password H(PW_j) is 
stored on GWN's side. This phase has two parts, for U_i and for S_j, which we review as follows: 

(U-1) U_i selects ID_i, computes VI_i = H(TS_1 || H(PW_i)) and sends {ID_i, TS_1, VI_i} to GWN via an 
open and public channel, where TS_1 is the current timestamp value of U_i. 

(U-2) After receiving the registration request from U_i, GWN checks if |TS_1 - T*_GWN| < ΔT, where 
T*_GWN is the current system timestamp of GWN and ΔT is the expected time interval for the 
transmission delay. If it does not hold, GWN sends a REJ message back to U_i. Otherwise, GWN 
retrieves its own copy of H(PW_i) by using the key "ID_i", computes VI_i* = H(TS_1 || H(PW_i)) and 
checks if VI_i* = VI_i. If not, GWN terminates it; otherwise, GWN computes P_i = H(ID_i || TE_i), 
TC_i = H(K_GWN_U || P_i || TE_i) and PTC_i = TC_i ⊕ H(PW_i) and personalizes the smart card for U_i with 
the parameters {H(·), ID_i, H(H(PW_i)), TE_i, PTC_i}. 

Before deployment of sensor nodes in a target field, each S_j performs the following steps for 
registration: 

(S-1) S_j computes VI_j = H(TS_2 || H(PW_j)) and sends {SID_j, TS_2, VI_j} to GWN via an open and public 
channel, where TS_2 is the current timestamp value of S_j. 

(S-2) After receiving the message from S_j, GWN checks if |TS_2 - T*_GWN| < ΔT, where T*_GWN is the 
current system timestamp of GWN and ΔT is the expected time interval for the transmission 
delay. If it does not hold, GWN sends a REJ message back to S_j. Otherwise, GWN retrieves its 
own copy of H(PW_j) by using the key "SID_j", computes VI_j* = H(TS_2 || H(PW_j)) and checks if 
VI_j* = VI_j. If not, GWN terminates it; otherwise, GWN computes TC_j = H(K_GWN_S || SID_j) and 
REG_j = H(H(PW_j) || TS_3) ⊕ TC_j and sends {TS_3, REG_j} to S_j. 

(S-3) After receiving the message from GWN, S_j checks if |TS_3 - T_j| < ΔT, where T_j is the 
current timestamp value of S_j. If not, S_j terminates it; otherwise, S_j computes its temporal 
credential TC_j = REG_j ⊕ H(H(PW_j) || TS_3) and stores it. 

2.2. Login Phase 

If the user U_i wants to access sensor data from the wireless sensor network, U_i inserts the smart card 
into a terminal and enters ID_i and PW_i. The terminal computes H(H(PW_i)) and checks the validity of 
ID_i and PW_i against the stored ID_i and H(H(PW_i)). If the check fails, the smart card terminates this login request. 
Otherwise, U_i passes the verification and he/she can read the information stored in the smart card. U_i 
computes TC_i = PTC_i ⊕ H(PW_i). 

2.3. Authentication and Key Agreement Phase 

(A-1) U_i computes DID_i = ID_i ⊕ H(TC_i || TS_4), C_i = H(H(ID_i || TS_4) ⊕ TC_i) and 
PKS_i = K_i ⊕ H(TC_i || TS_4 || "000") and sends the mutual authentication message {DID_i, C_i, PKS_i, 
TS_4, TE_i, P_i} to GWN, where TS_4 is the current timestamp value of U_i, K_i is a random key only 
known to U_i and the binary string "000" is used for distinguishing H(TC_i || TS_4 || "000") from 
H(TC_i || TS_4). 

(A-2) After receiving the message from U_i, GWN checks the validity of TS_4. If TS_4 is valid for the 
transmission delay, GWN computes ID_i* = DID_i ⊕ H(H(K_GWN_U || P_i || TE_i) || TS_4), P_i* = H(ID_i* || TE_i), 
TC_i* = H(K_GWN_U || P_i || TE_i) and C_i* = H(H(ID_i* || TS_4) ⊕ TC_i*) and verifies whether C_i* ≠ C_i or P_i* ≠ 
P_i. If either holds, GWN rejects U_i's login request; otherwise, GWN computes K_i = PKS_i ⊕ 
H(TC_i* || TS_4 || "000") and chooses a nearby suitable sensor node S_j as the accessed sensor node. 
GWN further computes S_j's temporal credential TC_j = H(K_GWN_S || SID_j), DID_GWN = ID_i ⊕ 
H(DID_i || TC_j || TS_5), C_GWN = H(ID_i || TC_j || TS_5) and PKS_GWN = K_i ⊕ H(TC_j || TS_5) and sends {TS_5, DID_i, 
DID_GWN, C_GWN, PKS_GWN} to S_j, where TS_5 is the current timestamp value of GWN. 

(A-3) After receiving the message from GWN, S_j checks the validity of TS_5. If TS_5 is valid for the 
transmission delay, S_j computes ID_i = DID_GWN ⊕ H(DID_i || TC_j || TS_5) and C_GWN* = H(ID_i || TC_j || TS_5) 
and checks if C_GWN* = C_GWN. If not, S_j terminates this session. Else, S_j is convinced that the 
received message is from a legitimate GWN. Moreover, S_j computes K_i = PKS_GWN ⊕ 
H(TC_j || TS_5), C_j = H(K_j || ID_i || SID_j || TS_6) and PKS_j = K_j ⊕ H(K_i || TS_6) and sends {SID_j, TS_6, C_j, PKS_j} 
to U_i and GWN, where K_j is a random key chosen by S_j and TS_6 is the current timestamp value of S_j. 

(A-4) After receiving the message from S_j, U_i and GWN separately compute K_j = PKS_j ⊕ H(K_i || TS_6) 
and C_j* = H(K_j || ID_i || SID_j || TS_6). For GWN, if C_j* = C_j, S_j is authenticated by GWN. For the user 
U_i, if C_j* = C_j, S_j and GWN are authenticated by U_i. Finally, U_i and S_j can separately compute a 
common session key KEY_ij = H(K_i ⊕ K_j), and U_i and S_j will use KEY_ij for securing 
communications in future. 
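The four messages of the phase just reviewed, run end to end by all three parties. This is an added example written for this review, not Xue et al.'s code. It assumes H is SHA-256, that ID_i is zero-padded to 32 bytes so it can be XORed with a digest, that timestamps are integers accepted within an assumed window DELTA_T of the receiver's clock, and that the temporal credentials TC_i and TC_j were already issued as in Section 2.1. It returns the session key as U_i and S_j each derive it, so the agreement can be checked; a corrupted C_i shows GWN rejecting the login in step (A-2).

```python
"""Toy run of Xue et al.'s authentication and key agreement phase (A-1 to A-4).
Added example, not the authors' code; H is SHA-256, identities are 32-byte
padded, timestamps are integer seconds checked against DELTA_T (assumed)."""
import hashlib
import os

DELTA_T = 5  # assumed transmission-delay window in seconds


def H(*parts: bytes) -> bytes:
    """One-way hash H(a || b || ...)."""
    return hashlib.sha256(b"".join(parts)).digest()


def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b), "XOR operands must have equal length"
    return bytes(x ^ y for x, y in zip(a, b))


def ts(t: int) -> bytes:
    return t.to_bytes(8, "big")


def fresh(t: int, now: int) -> bool:
    return abs(now - t) < DELTA_T


class Gateway:
    """GWN holding its two private system parameters K_GWN_U and K_GWN_S."""

    def __init__(self) -> None:
        self.k_gwn_u = os.urandom(32)
        self.k_gwn_s = os.urandom(32)

    def user_credential(self, id_i: bytes, te_i: bytes):
        p_i = H(id_i, te_i)                      # P_i = H(ID_i || TE_i)
        return p_i, H(self.k_gwn_u, p_i, te_i)   # TC_i = H(K_GWN_U || P_i || TE_i)

    def sensor_credential(self, sid_j: bytes) -> bytes:
        return H(self.k_gwn_s, sid_j)            # TC_j = H(K_GWN_S || SID_j)


def a1_user(id_i, tc_i, te_i, p_i, k_i, t4):
    did_i = xor(id_i, H(tc_i, ts(t4)))
    c_i = H(xor(H(id_i, ts(t4)), tc_i))
    pks_i = xor(k_i, H(tc_i, ts(t4), b"000"))
    return {"DID": did_i, "C": c_i, "PKS": pks_i, "TS4": t4, "TE": te_i, "P": p_i}


def a2_gateway(gwn, m1, sid_j, now):
    """GWN re-derives TC_i from its own secret, then checks C_i and P_i."""
    if not fresh(m1["TS4"], now):
        return None
    t4 = ts(m1["TS4"])
    tc_star = H(gwn.k_gwn_u, m1["P"], m1["TE"])
    id_star = xor(m1["DID"], H(tc_star, t4))
    if H(xor(H(id_star, t4), tc_star)) != m1["C"] or H(id_star, m1["TE"]) != m1["P"]:
        return None                              # reject U_i's login request
    k_i = xor(m1["PKS"], H(tc_star, t4, b"000"))
    tc_j, t5 = gwn.sensor_credential(sid_j), now
    m2 = {"TS5": t5, "DID": m1["DID"],
          "DID_GWN": xor(id_star, H(m1["DID"], tc_j, ts(t5))),
          "C_GWN": H(id_star, tc_j, ts(t5)),
          "PKS_GWN": xor(k_i, H(tc_j, ts(t5)))}
    return m2, id_star, k_i


def a3_sensor(sid_j, tc_j, m2, k_j, now):
    if not fresh(m2["TS5"], now):
        return None
    t5 = ts(m2["TS5"])
    id_i = xor(m2["DID_GWN"], H(m2["DID"], tc_j, t5))
    if H(id_i, tc_j, t5) != m2["C_GWN"]:
        return None                              # not from a legitimate GWN
    k_i, t6 = xor(m2["PKS_GWN"], H(tc_j, t5)), now
    m3 = {"SID": sid_j, "TS6": t6, "C": H(k_j, id_i, sid_j, ts(t6)),
          "PKS": xor(k_j, H(k_i, ts(t6)))}
    return m3, k_i


def a4_verify(id_i, k_i, m3, now):
    """Run by U_i and GWN separately: recover K_j, check C_j, derive KEY_ij."""
    if not fresh(m3["TS6"], now):
        return None
    t6 = ts(m3["TS6"])
    k_j = xor(m3["PKS"], H(k_i, t6))
    if H(k_j, id_i, m3["SID"], t6) != m3["C"]:
        return None
    return H(xor(k_i, k_j))                      # KEY_ij = H(K_i XOR K_j)


def run_session(tamper: bool = False):
    """Returns (KEY_ij at U_i, KEY_ij at S_j, whether GWN authenticated S_j)."""
    gwn, now = Gateway(), 1_700_000_000
    id_i, sid_j = b"alice".ljust(32, b"\0"), b"sensor-07"   # constructed identities
    te_i = ts(now + 86_400)
    p_i, tc_i = gwn.user_credential(id_i, te_i)
    tc_j = gwn.sensor_credential(sid_j)
    k_i, k_j = os.urandom(32), os.urandom(32)
    m1 = a1_user(id_i, tc_i, te_i, p_i, k_i, now)
    if tamper:
        m1["C"] = bytes(32)                      # corrupted authenticator C_i
    r2 = a2_gateway(gwn, m1, sid_j, now + 1)
    if r2 is None:
        return None, None, False
    m2, id_seen, k_i_gwn = r2
    m3, k_i_sensor = a3_sensor(sid_j, tc_j, m2, k_j, now + 2)
    sensor_key = H(xor(k_i_sensor, k_j))
    user_key = a4_verify(id_i, k_i, m3, now + 3)
    return user_key, sensor_key, a4_verify(id_seen, k_i_gwn, m3, now + 3) is not None
```

Each party only ever uses the values the reviewed steps give it: GWN never reads K_i directly but unmasks it from PKS_i with the credential it recomputes from K_GWN_U, and S_j learns ID_i only by unmasking DID_GWN with TC_j.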

3. Security Analysis on Xue et al.'s Scheme 

Xue et al. claimed that their authentication scheme is robust and secure against insider, password 
guessing and stolen smart card attacks. In fact, based on our security analysis, we observe that 
Xue et al.'s temporal-credential-based scheme does not meet these security requirements. The 
details of our attacks are as follows. 

3.1. Stolen Verifier and Insider Attack 

In Xue et al.'s scheme, GWN needs to maintain the verifier table, which stores each U_i's identity ID_i 
and the hash value of U_i's password H(PW_i) on GWN's side. In a practical environment, the PW_i chosen by 
U_i could be short and easily human-memorizable, which is convenient for U_i to remember, 
and in practice many users use the same identities and passwords to access various online 
applications or remote servers for their convenience. Thus, we assume that an attacker U_A may steal 
the password-verifier from GWN's database and launch off-line guessing attacks on it to obtain U_i's 
real password PW_i. The details of the stolen verifier attack are as follows. 

Step 1: U_A steals the verifier table from GWN's database and retrieves the hash value of U_i's password 
H(PW_i). 

Step 2: U_A guesses a password PW_i* and computes H(PW_i*). 
Step 3: U_A compares the result H(PW_i*) with the stolen H(PW_i). 

A match in Step 3 above indicates the correct guessing of U_i's easy-to-remember password, and 
Xue et al.'s authentication scheme then cannot resist the stolen verifier attack. Moreover, if a 
privileged insider of GWN knows U_i's password PW_i, he/she may try to use the knowledge of U_i's PW_i 
and ID_i to access other applications or servers. 

3.2. Off-Line Password Guessing Attack 

In step (U-1) of the registration phase of Xue et al.'s scheme, U_i sends {ID_i, TS_1, VI_i} to GWN via an 
open and public environment, where TS_1 is the current timestamp value of U_i and VI_i = H(TS_1 || H(PW_i)). If 
an attacker U_A eavesdrops U_i's registration message {ID_i, TS_1, VI_i}, U_A can launch the off-line 
password guessing attack by performing the following steps: 

Step 1: U_A guesses a password PW_i* and computes VI_i* = H(TS_1 || H(PW_i*)). 
Step 2: U_A compares the result VI_i* with the eavesdropped VI_i. 

A match in Step 2 above indicates the correct guessing of U_i's easy-to-remember password, and Xue 
et al.'s authentication scheme suffers from an off-line password guessing attack on the user side. On the other 
hand, in step (S-1) of the registration phase, S_j sends {SID_j, TS_2, VI_j} to GWN via an open and public 
environment, where TS_2 is the current timestamp value of S_j and VI_j = H(TS_2 || H(PW_j)). If an attacker 
U_A eavesdrops S_j's registration message {SID_j, TS_2, VI_j}, U_A can launch an off-line password guessing 
attack by performing the following steps: 

Step 1: U_A guesses a password PW_j* and computes VI_j* = H(TS_2 || H(PW_j*)). 
Step 2: U_A compares the result VI_j* with the eavesdropped VI_j. 

A match in Step 2 above indicates the correct guessing of S_j's password, and Xue et al.'s authentication 
scheme is then open to an off-line password guessing attack on the sensor side. Moreover, once U_A has 
successfully guessed S_j's random password, U_A can use PW_j and the eavesdropped message of step 
(S-2) of the registration phase to derive S_j's temporal credential TC_j by computing TC_j = REG_j ⊕ 
H(H(PW_j*) || TS_3) = H(K_GWN_S || SID_j). Finally, Xue et al.'s scheme may suffer from masquerading attacks, 
and an attacker U_A who knows TC_j can easily impersonate the sensor node S_j. 

3.3. Lost Smart Card Problem 

Let us consider the scenario of a lost smart card. In the case where U_i's smart card is lost and it 
is picked up by an attacker U_A, the stored parameters can be extracted by launching a power analysis 
attack [22]. As we know, the content of U_i's smart card is {H(·), ID_i, H(H(PW_i)), TE_i, PTC_i}. With 
this information, U_A can launch another off-line password guessing attack by performing the 
following steps: 

Step 1: U_A guesses a password PW_i* and computes H(H(PW_i*)). 

Step 2: U_A compares the result H(H(PW_i*)) with the extracted H(H(PW_i)). 

If Step 2 holds, the guessed password PW_i* is the same as U_i's real password PW_i. Otherwise, U_A 
tries another password. Once U_A successfully guesses U_i's real password, U_A can use PW_i and the 
content of U_i's smart card to derive U_i's temporal credential TC_i by computing TC_i = PTC_i ⊕ H(PW_i*) = 
H(K_GWN_U || P_i || TE_i). Thus, Xue et al.'s scheme may suffer from masquerading attacks, and an attacker 
U_A who knows TC_i can easily impersonate the legal user U_i to log in to the gateway node, while GWN is 
not aware that anything is wrong. 

3.4. Many Logged-in Users' Problem 

The many logged-in users attack [26,27] means that a registered user U_i's smart card is massively 
duplicated and his/her identity ID_i and password PW_i are exposed to m non-registered users U_a, where 
a = 1, 2, ..., m. Each one who has a smart card and knows ID_i and PW_i can log in to GWN at the same 
time, and GWN is not aware that anything is wrong. In Xue et al.'s scheme, each non-registered 
user U_a generates his/her own timestamp TS_a and random key K_a and sends a legal login message {DID_a, 
C_a, PKS_a, TS_a, TE_i, P_i} to GWN, where DID_a = ID_i ⊕ H(TC_i || TS_a), C_a = H(H(ID_i || TS_a) ⊕ TC_i) and 
PKS_a = K_a ⊕ H(TC_i || TS_a || "000"). After receiving all the login requests from the U_a, GWN gets the same 
identity ID_i with different timestamps TS_a and random keys K_a, and GWN allows them all to log in and 
access U_i's account simultaneously. 

4. Advanced Authentication Scheme 

In this section, we propose an advanced scheme with strong security. Our advanced scheme consists 
of four phases, namely the pre-registration phase, the registration phase, the login phase, and the authentication and key 
agreement phase. The details of each of these phases are as follows. 

4.1. Pre-Registration Phase 

Before registration of the user U_i and the sensor node S_j, each U_i has a pre-configured pair of 
identity ID_i^pre and password PW_i^pre shared with GWN, and the unique parameter H(ID_i^pre || PW_i^pre) and ID_i^pre are 
kept by GWN to check the validity of a registering user. Moreover, each S_j has a pre-configured identity 
SID_j and a 160-bit random number r_j, and the hash value of S_j's pre-configured identity and random 
number H(SID_j || r_j) and SID_j are stored on GWN's side. 

4.2. Registration Phase 

This phase has two parts, for U_i and for S_j, and the details are described as follows: 

(U-1) U_i selects his/her own ID_i and password PW_i. Then U_i computes VI_i = 
H(TS_1 || H(ID_i^pre || PW_i^pre)), CI_i = H(ID_i^pre || PW_i^pre) ⊕ H(ID_i || PW_i || r_i), DI_i = ID_i ⊕ H(ID_i^pre || PW_i^pre) and 
sends {ID_i^pre, TS_1, VI_i, CI_i, DI_i} to GWN via an open and public channel, where TS_1 is the current 
timestamp value of U_i and r_i is a random number generated by U_i. 

(U-2) After receiving the registration request from U_i, GWN checks if |TS_1 - T*_GWN| < ΔT, where 
T*_GWN is the current system timestamp of GWN and ΔT is the expected time interval for the 
transmission delay. If it does not hold, GWN sends a REJ message back to U_i. Otherwise, GWN 
retrieves its own copy of H(ID_i^pre || PW_i^pre) by using the parameter "ID_i^pre", computes VI_i* = 
H(TS_1 || H(ID_i^pre || PW_i^pre)) and checks if VI_i* = VI_i. If not, GWN terminates it; otherwise, GWN 
computes Q_i = CI_i ⊕ H(ID_i^pre || PW_i^pre) = H(ID_i || PW_i || r_i), ID_i = DI_i ⊕ H(ID_i^pre || PW_i^pre), P_i = 
H(ID_i || TE_i), TC_i = H(K_GWN_U || P_i || TE_i) and PTC_i = TC_i ⊕ Q_i and personalizes the smart card for 
U_i with the parameters {H(·), H(Q_i), TE_i, PTC_i}. Note that GWN maintains a write-protected 
file as depicted in Table 2, where the status-bit indicates the status of the user, i.e., when U_i is 
logged in to GWN, the status-bit is set to one, otherwise it is set to zero. Finally, GWN sends 
H(Q_i) and the smart card to U_i via a public and open environment. 

(U-3) After receiving H(Q_i) and the smart card from GWN, U_i checks whether the computed 
H(H(ID_i || PW_i || r_i)) is equal to H(Q_i). If they are not equal, U_i aborts this session and discards the smart 
card. Otherwise, GWN is authenticated by U_i. U_i enters r_i into his/her smart card, and U_i's smart 
card contains {H(·), H(Q_i), TE_i, PTC_i, r_i}. Note that U_i does not need to remember r_i after 
finishing this phase. The communication handshakes of the registration phase of the user U_i are 
depicted in Figure 1. 

Table 2. The identity table of GWN after finishing the registration phase. 

User Identity   Password-Verifier   Status-Bit   Last Login   Service Period 
ID_i            Q_i                 0/1          N/A          TE_i 
Figure 1. Communication handshakes of the registration phase of the user U_i. 
[Diagram: message sequence among User (U_i), Gateway node and Sensor (S_j); the exchanged messages and computations are those of steps (U-1) to (U-3).] 

Before deployment of sensor nodes in a target field, each S_j performs the following steps 
for registration. 

(S-1) S_j computes VI_j = H(TS_2 || H(SID_j || r_j)) and sends {SID_j, TS_2, VI_j} to GWN via an open and 
public channel, where TS_2 is the current timestamp value of S_j. 

(S-2) After receiving the message from S_j, GWN checks if |TS_2 - T*_GWN| < ΔT, where T*_GWN is the 
current system timestamp of GWN and ΔT is the expected time interval for the transmission 
delay. If it does not hold, GWN sends a REJ message back to S_j. Otherwise, GWN retrieves its 
own copy of H(SID_j || r_j) by using the key "SID_j", computes VI_j* = H(TS_2 || H(SID_j || r_j)) and checks 
if VI_j* = VI_j. If not, GWN terminates it; otherwise, GWN computes TC_j = H(K_GWN_S || SID_j), Q_j = 
H(TS_3 || H(SID_j || r_j)) and REG_j = H(H(SID_j || r_j) || TS_3) ⊕ TC_j and sends {TS_3, Q_j, REG_j} to S_j. 

Sensors 2013, 13, 9597 

(S-3) After receiving the message from GWN, S_j checks if |TS_3 - T_j| < ΔT, where T_j is the current 
timestamp value of S_j. If not, S_j terminates it. Otherwise, S_j checks whether the computed 
H(TS_3 || H(SID_j || r_j)) is equal to Q_j. If they are equal, S_j computes its temporal credential TC_j = 
REG_j ⊕ H(H(SID_j || r_j) || TS_3) and stores it. Note that S_j does not need to store r_j after finishing the 
phase. The communication handshakes of the registration phase of sensor node S_j are depicted 
in Figure 2. 
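The user registration (U-1 to U-3) and sensor registration (S-1 to S-3) of the advanced scheme, run end to end against a GWN that holds the pre-registration values of Section 4.1. This is an added example, not the paper's code. It assumes H is SHA-256, that ID_i is zero-padded to 32 bytes so it can be XORed with a digest, that r_i and r_j are 160-bit (20-byte) random values, that timestamps are integers checked within an assumed window DELTA_T, and that GWN picks TE_i itself. The function returns the personalized card and the credentials, so one can check that PTC_i ⊕ Q_i really equals the TC_i that GWN derived and that the sensor recovers the same TC_j GWN computed.

```python
"""Registration phase of the advanced scheme (U-1..U-3, S-1..S-3).
Added example, not the paper's code. H is SHA-256; ID_i padded to 32 bytes;
r_i, r_j are 160-bit; DELTA_T is the assumed delay window."""
import hashlib
import os

DELTA_T = 5


def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


def ts(t: int) -> bytes:
    return t.to_bytes(8, "big")


def fresh(t: int, now: int) -> bool:
    return abs(now - t) < DELTA_T


class Gateway:
    def __init__(self) -> None:
        self.k_gwn_u, self.k_gwn_s = os.urandom(32), os.urandom(32)
        self.user_pre = {}        # ID_i^pre -> H(ID_i^pre || PW_i^pre)   (pre-registration)
        self.sensor_pre = {}      # SID_j    -> H(SID_j || r_j)           (pre-registration)
        self.identity_table = {}  # ID_i     -> row of Table 2

    def u2(self, m, te_i, now):
        """Step (U-2): verify VI_i, unmask Q_i and ID_i, personalize the card."""
        h_pre = self.user_pre.get(m["ID_pre"])
        if h_pre is None or not fresh(m["TS1"], now) or H(ts(m["TS1"]), h_pre) != m["VI"]:
            return None                                       # REJ
        q_i = xor(m["CI"], h_pre)                             # = H(ID_i || PW_i || r_i)
        id_i = xor(m["DI"], h_pre)
        tc_i = H(self.k_gwn_u, H(id_i, te_i), te_i)           # TC_i = H(K_GWN_U || P_i || TE_i)
        self.identity_table[id_i] = {"Q": q_i, "status": 0, "last": None, "TE": te_i}
        return H(q_i), {"H(Q)": H(q_i), "TE": te_i, "PTC": xor(tc_i, q_i)}

    def s2(self, m, now):
        """Step (S-2): verify VI_j, then send Q_j and the masked credential REG_j."""
        h_sr = self.sensor_pre.get(m["SID"])
        if h_sr is None or not fresh(m["TS2"], now) or H(ts(m["TS2"]), h_sr) != m["VI"]:
            return None
        tc_j, t3 = H(self.k_gwn_s, m["SID"]), now
        return {"TS3": t3, "Q": H(ts(t3), h_sr), "REG": xor(H(h_sr, ts(t3)), tc_j)}


def u1(id_pre, pw_pre, id_i, pw_i, t1):
    r_i = os.urandom(20)                                      # 160-bit random number
    h_pre, q_i = H(id_pre, pw_pre), H(id_i, pw_i, r_i)
    m = {"ID_pre": id_pre, "TS1": t1, "VI": H(ts(t1), h_pre),
         "CI": xor(h_pre, q_i), "DI": xor(id_i, h_pre)}
    return m, r_i


def u3(id_i, pw_i, r_i, h_q, card):
    if H(H(id_i, pw_i, r_i)) != h_q:
        return None                                           # GWN not authenticated
    card["r"] = r_i                                           # U_i need not remember r_i
    return card


def s1(sid_j, r_j, t2):
    return {"SID": sid_j, "TS2": t2, "VI": H(ts(t2), H(sid_j, r_j))}


def s3(sid_j, r_j, m, now):
    h_sr = H(sid_j, r_j)
    if m is None or not fresh(m["TS3"], now) or H(ts(m["TS3"]), h_sr) != m["Q"]:
        return None
    return xor(m["REG"], H(h_sr, ts(m["TS3"])))               # TC_j; r_j may be dropped


def run_registration(pw_pre_used: bytes = b"pre-pw"):
    """Returns (card, TC_i as GWN derived it, TC_j at S_j, TC_j as GWN derived it)."""
    gwn, now = Gateway(), 1_700_000_000
    id_pre, id_i, pw_i = b"alice-pre", b"alice".ljust(32, b"\0"), b"hunter2"  # constructed
    sid_j, r_j = b"sensor-07", os.urandom(20)
    gwn.user_pre[id_pre] = H(id_pre, b"pre-pw")               # pre-registration phase
    gwn.sensor_pre[sid_j] = H(sid_j, r_j)
    te_i = ts(now + 86_400)
    m1, r_i = u1(id_pre, pw_pre_used, id_i, pw_i, now)
    r = gwn.u2(m1, te_i, now + 1)
    if r is None:
        return None
    card = u3(id_i, pw_i, r_i, r[0], r[1])
    tc_i = H(gwn.k_gwn_u, H(id_i, te_i), te_i)
    tc_j = s3(sid_j, r_j, gwn.s2(s1(sid_j, r_j, now), now + 1), now + 2)
    return card, tc_i, tc_j, H(gwn.k_gwn_s, sid_j)
```

Note what GWN ends up storing: Q_i = H(ID_i || PW_i || r_i) rather than H(PW_i), and the card carries H(Q_i) rather than H(H(PW_i)); a registration attempt with a wrong pre-shared password fails at (U-2) because VI_i no longer verifies.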

Figure 2. Communication handshakes of the registration phase of sensor node S_j. 
[Diagram: message sequence among User (U_i), Gateway node and Sensor (S_j); the exchanged messages and computations are those of steps (S-1) to (S-3).] 

4.3. Login Phase 

If the user U_i wants to access sensor data from the wireless sensor network, U_i inserts the smart card 
into a card reader and enters ID_i and PW_i. The smart card retrieves r_i and computes H(H(ID_i || PW_i || r_i)); if it is not equal to 
H(Q_i), the smart card terminates this login request. Otherwise, U_i passes the verification and 
he/she can read the information stored in the smart card. U_i computes TC_i = PTC_i ⊕ H(ID_i || PW_i || r_i). The 
details of the login phase are shown in Figure 3. 

Figure 3. Illustration of the login phase of our advanced scheme. 
[Diagram: User (U_i) inserts the smart card, enters ID_i and PW_i, checks H(H(ID_i || PW_i || r_i)) against H(Q_i) and, on success, computes TC_i = PTC_i ⊕ H(ID_i || PW_i || r_i); columns Gateway node and Sensor are idle in this phase.] 

4.4. Authentication and Key Agreement Phase 

(A-1) U_i computes DID_i = ID_i ⊕ H(TC_i || TS_4), C_i = H(H(H(ID_i || PW_i || r_i) || TS_4) ⊕ TC_i) and PKS_i = K_i ⊕ 
H(TC_i || TS_4 || "000") and sends {DID_i, C_i, PKS_i, TS_4, TE_i, P_i} to GWN, where TS_4 is the current 
timestamp value of U_i, K_i is a random key only known to U_i and "000" distinguishes H(TC_i || TS_4 || "000") from H(TC_i || TS_4). 

(A-2) After receiving the message from U_i, GWN checks the validity of TS_4. If TS_4 is valid for the 
transmission delay, GWN computes TC_i* = H(K_GWN_U || P_i || TE_i) and ID_i = DID_i ⊕ 
H(TC_i* || TS_4) and retrieves U_i's password-verifier Q_i = H(ID_i || PW_i || r_i) by using the 
parameter "ID_i". Then, GWN further computes C_i* = H(H(Q_i || TS_4) ⊕ TC_i*) and verifies 
whether C_i* = C_i. If it does not hold, GWN rejects U_i's login request; otherwise, the 
status-bit is set to one and TS_4 is recorded in the 4th field of the identity table to 
record U_i's last login. GWN computes K_i = PKS_i ⊕ H(TC_i* || TS_4 || "000") and chooses a 
nearby suitable sensor node S_j as the accessed sensor node. GWN further computes S_j's 
temporal credential TC_j = H(K_GWN_S || SID_j), DID_GWN = ID_i ⊕ H(DID_i || TC_j || TS_5), 
C_GWN = H(ID_i || TC_j || TS_5) and PKS_GWN = K_i ⊕ H(TC_j || TS_5) and sends {TS_5, DID_i, DID_GWN, 
C_GWN, PKS_GWN} to S_j, where TS_5 is the current timestamp value of GWN. 

(A-3) After receiving the message from GWN, S_j checks the validity of TS_5. If TS_5 is valid for the 
transmission delay, S_j computes ID_i = DID_GWN ⊕ H(DID_i || TC_j || TS_5) and C_GWN* = 
H(ID_i || TC_j || TS_5) and checks if C_GWN* = C_GWN. If not, S_j terminates this session. Else, S_j is 
convinced that the received message is from a legitimate GWN. Moreover, S_j computes K_i = 
PKS_GWN ⊕ H(TC_j || TS_5), C_j = H(K_j || ID_i || SID_j || TS_6) and PKS_j = K_j ⊕ H(K_i || TS_6) and sends {SID_j, 
TS_6, C_j, PKS_j} to U_i and GWN, where K_j is a random key chosen by S_j and TS_6 is the current timestamp value of S_j. 

(A-4) After receiving the message from S_j, U_i and GWN separately compute K_j = PKS_j ⊕ 
H(K_i || TS_6) and C_j* = H(K_j || ID_i || SID_j || TS_6). For GWN, if C_j* = C_j, S_j is authenticated by GWN. 
For the user U_i, if C_j* = C_j, S_j and GWN are authenticated by U_i. Finally, U_i and S_j can 
separately compute a common session key KEY_ij = H(K_i ⊕ K_j), and U_i and S_j will use KEY_ij 
for securing communications in future. 

After finishing the authentication and key agreement phase, the identity table is updated and the 
content of the identity table is shown in Table 3. The detailed steps of the authentication and key 
agreement phase are shown in Figure 4. 

Table 3. The identity table of GWN after finishing the authentication and key 
agreement phase. 

User Identity   Password-Verifier   Status-Bit   Last Login   Service Period 
ID_i            Q_i                 0/1          TS_4         TE_i 
Figure 4. Illustration of the authentication and key agreement phase of our advanced scheme. 
[Diagram: message sequence among User (U_i), Gateway node and Sensor (S_j) for steps (A-1) to (A-4); S_j checks C_GWN* = C_GWN, sends {SID_j, TS_6, C_j, PKS_j} to both U_i and GWN, each of which checks C_j* = C_j, and U_i and S_j compute the session key KEY_ij = H(K_i ⊕ K_j).] 

5. Security Analysis on Our Advanced Authentication Scheme 

In this section, for the security analysis of our advanced authentication scheme, we use the threat model 
described in Section 3 and show that our proposed scheme can withstand the following security attacks. 
Let us consider the following threat scenarios. 

- Scenario 1. We assume that a privileged insider of GWN can steal U_i's identity and password-verifier 
from GWN's identity table. 

- Scenario 2. We assume that an attacker can eavesdrop on U_i's registration message. 

- Scenario 3. We assume that a legal user's smart card has been stolen or lost and the attacker can 
extract the secret parameters stored in the smart card. 

- Scenario 4. We assume that U_i's identity ID_i, password PW_i and login parameters {H(·), H(Q_i), 
TE_i, PTC_i, r_i} are leaked to more than one non-registered user. 

5.1. Resistance to Stolen Verifier and Insider Attacks 

In the registration phase of our advanced authentication scheme, U_i registers with GWN by presenting 
Q_i = H(ID_i || PW_i || r_i) instead of PW_i and H(PW_i). For the threat model in Scenario 1, we assume that a 
privileged insider of GWN can steal U_i's identity and password-verifier from GWN's identity table. 
Note that the value of r_i is not revealed to GWN and the bit length |r_i| is large enough. If SHA-256 is 
used in our advanced scheme, the attacker may attempt to derive PW_i and r_i from the password-verifier 
Q_i = H(ID_i || PW_i || r_i). Under the assumption of a secure one-way hashing function, and since the bit length of r_i is 
160 bits, the probability of guessing the correct r_i is 1/2^160. Moreover, 
the attacker must also guess the correct password PW_i, and the probability of guessing a correct p-character PW_i 
is approximately 1/2^(6p). Therefore, it is computationally infeasible for the attacker to derive U_i's 
password PW_i and random number r_i at the same time, because the probability is approximately 
1/2^(6p+160). As a result, a privileged insider still cannot derive U_i's real password PW_i by performing 
off-line password guessing attacks on H(ID_i || PW_i || r_i), and our advanced authentication scheme is secure 
against stolen verifier and insider attacks. 

5.2. Resistance to Off-Line Password Guessing Attacks 

In step (U-1) of the registration phase of our scheme, U_i sends {ID_i^pre, TS_1, VI_i, CI_i, DI_i} to GWN via 
an open and public environment. For the threat model in Scenario 2, suppose an attacker U_A eavesdrops on U_i's 
registration message {ID_i^pre, TS_1, VI_i, CI_i, DI_i}. First, U_A cannot derive U_i's password-verifier 
H(ID_i || PW_i || r_i) from CI_i = H(ID_i^pre || PW_i^pre) ⊕ H(ID_i || PW_i || r_i) because U_A does not know U_i's unique 
parameter H(ID_i^pre || PW_i^pre). Second, U_i's password-verifier H(ID_i || PW_i || r_i) is under the protection of a 
one-way hashing function, and inverting it is computationally infeasible without knowing U_i's identity ID_i, 
password PW_i and the random number r_i. We assume the length of ID_i is q characters, so the 
probability of guessing a correct q-character ID_i is approximately 1/2^(6q). Therefore, it is computationally 
infeasible for the attacker to derive U_i's identity ID_i, password PW_i and random number r_i at the same 
time, because the probability is approximately 1/2^(6p+6q+160). On the other hand, in step (S-1) of the registration 
phase of our scheme, S_j registers with GWN by presenting {SID_j, TS_2, VI_j = H(TS_2 || H(SID_j || r_j))} instead of 
PW_j and H(PW_j). Therefore the attacker cannot launch an off-line guessing attack unless he/she knows 
the random number r_j. In this case, an off-line password guessing attack on the user or sensor side 
does not work in our advanced scheme. 

5.3. Resistance to Smart Card Lost Problem 

The lost smart card problem is an inherent limitation of remote user authentication schemes. For the 
threat model in Scenario 3, we assume that U_i's smart card has been stolen or lost and the attacker U_A 
can extract the secret parameters {H(·), H(Q_i), TE_i, PTC_i, r_i} stored in the smart card. However, in 
order to log in to GWN by using U_i's lost or stolen smart card, U_A needs to guess the real identity ID_i and 
password PW_i correctly at the same time. In fact, it is computationally infeasible to guess these two 
parameters correctly at the same time in polynomial time, since ID_i and PW_i are well protected by a 
one-way hashing function. Therefore, our proposed scheme can withstand this type of attack too. 

5.4. Resistance to the Many Logged-in Users Problem 

For the threat model in Scenario 4, we assume that U_i's identity ID_i, password PW_i and parameters 
{H(·), H(Q_i), TE_i, PTC_i, r_i} are leaked to more than one non-registered user. However, the gateway 
node GWN maintains a status-bit field and a last-login field in its identity table. Therefore, among all who 
know ID_i, PW_i and the valid parameters {H(·), H(Q_i), TE_i, PTC_i, r_i}, no two are allowed to be logged in to 
GWN at the same time. Based on the protection of GWN's identity table, the advanced scheme is secure 
against many logged-in users attacks. 
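How the status-bit, last-login and service-period fields of Table 3 give GWN the decision described here and in step (A-2) of Section 4.4, as an added example that is not the paper's code. It assumes the C_i* = C_i check of (A-2) has already passed before this gate runs, that timestamps are integer seconds checked within an assumed window DELTA_T, that a TS_4 no newer than the recorded last login is treated as a replay (an assumed use of the last-login field), and that a user whose TE_i has passed is refused (the service-period revocation of contribution v). The simulation shows m copies of U_i's card and password arriving at once: the first is admitted and the rest are refused while the status-bit is one.

```python
"""GWN login gate over the identity table (Table 3) against the many
logged-in users problem (Section 5.4). Added example, not the paper's code."""

DELTA_T = 5  # assumed transmission-delay window in seconds


class IdentityTable:
    """One row per registered user, as in Table 3:
    ID_i -> {Q_i, status_bit, last_login (TS_4), service period TE_i}."""

    def __init__(self) -> None:
        self.rows = {}

    def register(self, id_i: str, q_i: bytes, te_i: int) -> None:
        self.rows[id_i] = {"Q": q_i, "status": 0, "last_login": None, "TE": te_i}

    def login(self, id_i: str, ts4: int, now: int) -> str:
        """Decide a login request {.., TS_4, ..} whose C_i already verified."""
        row = self.rows.get(id_i)
        if row is None:
            return "unknown-identity"
        if abs(now - ts4) >= DELTA_T:
            return "stale-timestamp"             # TS_4 outside the delay window
        if now >= row["TE"]:
            return "service-period-expired"      # revoked via TE_i
        if row["status"] == 1:
            return "already-logged-in"           # second holder of the same ID_i
        if row["last_login"] is not None and ts4 <= row["last_login"]:
            return "replayed-timestamp"          # assumed use of the last-login field
        row["status"], row["last_login"] = 1, ts4
        return "accepted"

    def logout(self, id_i: str) -> None:
        row = self.rows.get(id_i)
        if row is not None:
            row["status"] = 0


def demo():
    """m = 3 non-registered users U_a, each with a copy of U_i's card and
    password, try to log in as ID_i at once; then a replay, a fresh login
    after logout, and a user whose service period has ended."""
    table, now = IdentityTable(), 1_700_000_000
    table.register("alice", b"Q_alice", te_i=now + 3600)   # constructed rows
    table.register("bob", b"Q_bob", te_i=now - 1)
    out = {"concurrent": [table.login("alice", now + a, now + a) for a in range(3)]}
    table.logout("alice")
    out["replay"] = table.login("alice", now, now + 3)     # reuses the first TS_4
    out["fresh"] = table.login("alice", now + 4, now + 4)
    out["expired"] = table.login("bob", now, now)
    return out
```

The gate is what makes the duplicated-card scenario detectable rather than silent: every refused attempt carries a reason GWN can log, and a burst of "already-logged-in" results for one ID_i is exactly the misbehaviour that contribution vi says the status-bit and login records help catch.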

6. Comparisons of Related Schemes 

In this section, we analyse the functionality and performance of our advanced scheme and 
compare it with Xue et al.'s scheme [24] and other related schemes [17,21]. Functionality and 
performance comparisons of our scheme and other related schemes [17,21,24] are shown in Table 4 
and Table 5, respectively. In Table 4, we can see that our advanced scheme not only provides proper 
password protection and secure service billing, but also prevents the many logged-in users attack and other 
attacks. According to the analysis results reported in [10,24], the time complexities of the various operations 
in terms of T_H and T_ECC are listed in Table 5. We have compared the computational complexity using 
both formulated results and rough quantitative analysis in Table 5 for the different phases: the registration, 
login and authentication phases of [17,21,24] and of our scheme. For example, in the test environment 
(CPU: 2.4 GHz, RAM: 4.0 G), we ran each operation 100 times to get the average result. T_H is about 3,000 
times faster than T_ECC (T_H is nearly 0.0002 second on average when using SHA-256 and T_ECC is nearly 
0.6 second on average when using ECC-160). Our advanced scheme, Yeh et al. [21] and 
Xue et al. [24] all provide session key agreement and mutual authentication between 
each pair among the user, GWN and the sensor node. 



Table 4. Functionality comparisons of our advanced scheme and related schemes. 

Items/Schemes                               Das [17] (2009)   Yeh et al. [21] (2011)   Xue et al. [24] (2013)   Our Advanced Scheme 
Mutual authentication                       No                Yes                      Yes                      Yes 
Key agreement                               No                Yes                      Yes                      Yes 
Password protection                         No                No                       No                       Yes 
Provision of service billing                No                No                       Yes                      Yes 
Resistant to stolen verifier attack         Yes               Yes                      No                       Yes 
Resistant to insider attack                 No                Yes                      No                       Yes 
Resistant to lost smart card attack         No                No                       No                       Yes 
Resistant to many logged-in users' attack   No                No                       No                       Yes 


Table 5. Performance comparisons of our advanced scheme and related schemes. 

Participant/Computations   Das [17] (2009)   Yeh et al. [21] (2011)   Xue et al. [24] (2013)   Our Advanced Scheme 
User (U_i)                 4 T_H             1 T_H + 2 T_ECC          7 T_H                    9 T_H 
Sensor (S_j)               1 T_H             3 T_H + 2 T_ECC          5 T_H                    6 T_H 
Gateway node (GWN)         7 T_H             4 T_H + 4 T_ECC          10 T_H                   11 T_H 
Computation costs          12 T_H            8 T_H + 8 T_ECC          22 T_H                   26 T_H 
Computation time           0.0024 s          4.8016 s                 0.0044 s                 0.0052 s 

T_H: Time for SHA-256 one-way hashing computation; T_ECC: Time for ECC-160 encryption/decryption 
computation; s: second. 



Moreover, our scheme and Xue et al. [24] both provide the service billing function. Our advanced 
scheme requires 9 T_H for the user, 6 T_H for the sensor node and 11 T_H for GWN. Assume 
T_H = 0.0002 second and T_ECC = 0.6 second according to our simulation. 

Compared with the other three schemes, which cannot ensure password protection, all participants in the 
three phases of our advanced scheme require about 0.0052 seconds in total, which is almost negligible, so 
our advanced scheme does not add much computational complexity while satisfying more 
functional requirements and preventing more security attacks. 
7. Conclusions 

In this paper, we have analyzed the vulnerabilities and security attacks existing in Xue et al.'s 
temporal-credential-based mutual authentication scheme and proposed an advanced secure 
authentication scheme which satisfies mutual authentication and key agreement between the user, 
the gateway node and the sensor node. Compared to the existing schemes, our advanced scheme 
supports extra functionalities such as user password protection and a login recording strategy for 
enhancing system security. In addition, through the use of lightweight one-way hashing 
computation, our authentication scheme significantly reduces the implementation cost. Through 
informal security analysis, we have shown that our proposed scheme resists various 
known attacks, including stolen verifier attacks, insider attacks, lost smart card problems and the many 
logged-in users attack. As a result, the added functionalities and the higher security combined 
with low computational cost make our advanced scheme well suited to securing wireless sensor 
networks in practice. 